I have a program that has 11 variable that need to be inserted into a SQL 2008 Express DB. All works until the variables that can be NULL are NULL. Then the SQL does not get the data. Here is my code and appreciate all that can help:
private void PostDatatoServer()
{
String connectionString = #"Data Source=LUCKYTIGER\SQLEXPRESS;Initial Catalog=John;Integrated Security=True";
SqlConnection con = new SqlConnection(connectionString);
con.Open();
textBox1.Text = "Connection made";
SqlCommand cmd = con.CreateCommand();
string str = "";
str += "INSERT INTO Parsed(Date, Gal, Sys, Sl, ST, PN, PlayN, Sym, Rk, All, Rel)";
str += "VALUES(#Date, #Gal, #Sys, #Sl, #ST, #PN, #PlayN, #Sym, #Rk, #All, #Rel)";
SqlCommand cmd = new SqlCommand(str, con);
cmd.CommandType = CommandType.Text;
cmd.Parameters.Add(new SqlParameter("#Date", uegParser.strTime));
cmd.Parameters.Add(new SqlParameter("#Gal", Convert.ToInt16(uegParser.strGalaxyNum)));
cmd.Parameters.Add(new SqlParameter("#Sys", Convert.ToInt16(uegParser.strSystemNum)));
cmd.Parameters.Add(new SqlParameter("#Sl", uegParser.intSlot));
cmd.Parameters.Add(new SqlParameter("#ST", uegParser.intSlotType));
if (uegParser.strPlanetName == "")
cmd.Parameters.Add(new SqlParameter("#PN", SqlDbType.NVarChar).Value = DBNull.Value);
else
cmd.Parameters.Add(new SqlParameter("#PN", uegParser.strPlanetName));
if (uegParser.strPlayerName == "")
{
cmd.Parameters.Add(new SqlParameter("#PlayN", DBNull.Value));
TextBox2.Text = "Null player name";
}
else
{
cmd.Parameters.Add(new SqlParameter("#PlayN", uegParser.strPlayerName));
}
if (uegParser.strSymbols == "")
cmd.Parameters.Add(new SqlParameter("#Sys", DBNull.Value));
else
cmd.Parameters.Add(new SqlParameter("#Sym", uegParser.strSymbols));
if (uegParser.strRank == "")
cmd.Parameters.Add(new SqlParameter("#Rk", DBNull.Value));
else
cmd.Parameters.Add(new SqlParameter("#Rk", uegParser.strRank));
if (uegParser.strAlliance == "")
cmd.Parameters.Add(new SqlParameter("#All", DBNull.Value));
else
cmd.Parameters.Add(new SqlParameter("#All", uegParser.strAlliance));
cmd.Parameters.Add(new SqlParameter("#Rel", uegParser.intRelationship));
cmd.ExecuteNonQuery();
con.Close();
TextBox2.Text = "Connection closed";
}
The following is not an answer to your question but an example of all the places your code is abusing Ado.Net. Try to restructure any ado.net code you have in this manner. I do agree with the comments, your general approach is probably wrong however these are general pointers that you could probably benefit from in the rest of your code. Pointers are.
Always wrap SqlConnections in using blocks
Always use parameterized queries
Always specify the parameter SqlDbType (when using SqlServer obviously)
Always use the correct parameter types instead of adding string values
Refactored ado.net code
protected void btn_insert_Click(object sender, EventArgs e)
{
DataSet ds = new DataSet();
// i would not use Session unless necessary but that is out of scope for the question
// also do not forget to dispose the datatabale when finished and remove it from the session
ds = (DataSet)Session["DTset"];
// always wrap your SqlConnection in a using block
// it ensures the connection is always released
// also there is no reason to have this inside the loop
// there is no reason to close/reopen it every time
using(SqlConnection con = new SqlConnection(connStr))
{
con.Open(); // open once
for (int i = 1; i < ds.Tables[0].Rows.Count; i++)
{
// do not convert everything to strings, pick the correct type as it is in the table or convert it to the correct type if the table contains only strings
string Id = ds.Tables[0].Rows[i][0].ToString();
string Name = ds.Tables[0].Rows[i][1].ToString();
cmd = new SqlCommand("insert into tbl1(ID,Name) values (#ID,#Name)";
cmd.Parameters.AddWithValue("#ID", Id).SqlDbType = SqlDbType.; // pick the correct dbtype
cmd.Parameters.AddWithValue("#Name", Name).SqlDbType = SqlDbType.; // pick the correct dbtype
int j= cmd.ExecuteNonQuery();
// do not convert everything to strings, pick the correct type as it is in the table or convert it to the correct type if the table contains only strings
string Id1 = ds.Tables[0].Rows[i][2].ToString();
string Name1 = ds.Tables[0].Rows[i][3].ToString();
string VehicleTypeId = ds.Tables[0].Rows[i][4].ToString();
string VehicleType = ds.Tables[0].Rows[i][5].ToString();
string Capacity = ds.Tables[0].Rows[i][6].ToString();
string InsQuery = "insert into tbl2(Id,Name,Subject,status,review) values (#Id,#Name,#Subject,#status,#review)";
cmd = new SqlCommand(InsQuery,con);
cmd.Parameters.AddWithValue("#id", Id1).SqlDbType = SqlDbType.; // pick the correct dbtype
cmd.Parameters.AddWithValue("#Name", name1).SqlDbType = SqlDbType.; // pick the correct dbtype
// add the rest of your parameters here
int k= cmd.ExecuteNonQuery();
}
}
}
You should reconsider how you read your data from spreadsheet. Apparently you put the whole sheet into one big DataTable and then iterate over this. You should split your datareading, such that you only read the first two columns into one DataTable and the remaining five columns into a second DataTable. Then iterate over the two DataTables separately and save the contained rows into database.
If you really just want to prohibit to create rows with null values, you could simply check your values for null before you do the insert.
if (!String.IsNullOrEmpty(Id) && !String.IsNullOrEmpty(Name)) {
cmd = new SqlCommand( ....);
cmd.ExecuteNonQuery();
}
Additionally some hints:
Take a look at parametrized and prepared queries, they make your code a lot more secure.
You do not need to open and close your sql connection for every single command. You can open it before your loop, create and execute some commands, and close it after the loop, when your are finished.
You are missing the first row of your data. The vast majority of collections in c# start at index 0.
EDIT
For your request, I added the null checks into your code. But I really don't think you should do it this way! Like I mentionioned above, you should split your datatable into two tables, such that each of them only contains the relevant rows. And you should have a look at Igor's answer on how to create parameterized queries! And take into account the other hints from above. And finally, I don't mean to be rude, but you really should grab a good book or some tutorials from the web and learn the basics, so you will be able to understand the anwswers to your question.
protected void btn_insert_Click(object sender, EventArgs e)
{
DataSet ds = new DataSet();
ds = (DataSet)Session["DTset"];
for (int i = 1; i < ds.Tables[0].Rows.Count; i++)
{
string Id = ds.Tables[0].Rows[i][0].ToString();
string Name = ds.Tables[0].Rows[i][1].ToString();
SqlConnection con = new SqlConnection(connStr);
SqlCommand cmd;
if (!string.IsNullOrEmpty(Id) && !string.IsNullOrEmpty(Name)) {
cmd = new SqlCommand("insert into tbl1(ID,Name) values ('" + Id + "','" + Name + "')", con);
con.Open();
int j= cmd.ExecuteNonQuery();
con.Close();
}
string Id1 = ds.Tables[0].Rows[i][2].ToString();
string Name1 = ds.Tables[0].Rows[i][3].ToString();
string VehicleTypeId = ds.Tables[0].Rows[i][4].ToString();
string VehicleType = ds.Tables[0].Rows[i][5].ToString();
string Capacity = ds.Tables[0].Rows[i][6].ToString();
if (!string.IsNullOrEmpty(Id1) && !string.IsNullOrEmpty(Name1) && !string.IsNullOrEmpty(VehicleTypeId) && !string.IsNullOrEmpty(VehicleType) && !string.IsNullOrEmpty(Capacity)) {
string InsQuery = "insert into tbl2(Id,Name,Subject,status,review) values ('" + Id1 + "','" + Name1 + "','" + Subject+ "','" + status+ "','" + review+ "')";
cmd = new SqlCommand(InsQuery,con);
con.Open();
int k= cmd.ExecuteNonQuery();
con.Close();
}
}
}
Fool-proof solution: use SQL Stored procedure.
--sql
create procedure dbo.Parsed_i
#Date datetime,
#Gal int,
--so on
#PN nvarchar(100) = null --default value
--so on
as
INSERT INTO Parsed(Date, Gal, Sys, Sl, ST, PN, PlayN, Sym, Rk, All, Rel)
VALUES(#Date, #Gal, #Sys, #Sl, #ST, #PN, #PlayN, #Sym, #Rk, #All, #Rel)
//C#
//...
SqlCommand cmd = new SqlCommand("dbo.Parsed_i", con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("#ST", SqlDbType.Int).Value = uegParser.intSlotType;
if (!string.IsNullOrEmpty(uegParser.strPlanetName))
cmd.Parameters.Add("#PN", SqlDbType.NVarChar).Value = uegParser.strPlanetName;
//note: no **else** part
//so on
Related
I'm a beginner in SQL and c#. I'm trying to create a system that will lead the user to eligibility form if they have not done it before, but an error that says invalid column name keeps popping.
string query = "select * from Eligibility where Name = " + textBox1.Text;
sql.Open();
SqlCommand cmd = new SqlCommand(query, sql);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
label6.Text = (dr["name"].ToString());
}
sql.Dispose();
if (label6.Text == textBox1.Text)
{
this.Hide();
UserHomeView uhv = new UserHomeView();
uhv.Show();
}
else
{
this.Hide();
Eligibility eli = new Eligibility();
eli.Show();
}
You missed the single quotation
string query = "select * from Eligibility where Name = '" + textBox1.Text + "'";
Even so, there is some serious problem with the above code. This can cause a serious sql injection problem for you Check wikipedia entry on this
It's better to use the add parameters function which will sanitize the input and make it safe for you to execute the query.
The best solution would be something like this
string query = "select * from Eligibility where Name = #Name";
sql.Open();
SqlCommand cmd = new SqlCommand(query, sql);
cmd.Parameters.Add("#Name", SqlDbType.VarChar).Value = textBox1.Text;
This way, your query will be injection safe.
Just to build on what others have said:
Once you're comfy with doing things this way check out Stored Procedures.
Stored Procedures lets you save the query in the database and all you do on the c# side is call the Stored Procedure and add the required parameters.
These tend to be a better way of doing this as you can then learn about how to restrict access to your database for only certain users and also it means the Query itself is in an environment that will check for mistakes as well.
This is a good article as an introduction to them:
http://www.sqlservertutorial.net/sql-server-stored-procedures/
You can use Parameters of SqlCommand, like this:
string query = "select * from Eligibility where Name = #Name";
sql.Open();
SqlCommand cmd = new SqlCommand(query, sql);
cmd.Parameters.Add("#Name", SqlDbType.Text);
cmd.Parameters["#Name"].Value = textBox1.Text;
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
label6.Text = (dr["name"].ToString());
}
sql.Dispose();
if (label6.Text == textBox1.Text)
{
this.Hide();
UserHomeView uhv = new UserHomeView();
uhv.Show();
}
else
{
this.Hide();
Eligibility eli = new Eligibility();
eli.Show();
}
If I put "if, foreach, and else statement under comment //", the program works and Reduces book count by 1 from SQL database. But I want to check IF there is at least 1 available book to give. This code keeps showing me the message in "else" statement if I leave it like this. Help is needed fast, it's my final project, that is needed to be done before 23.07. :(
int book_qty = 0;
SqlCommand cmd2 = connection.CreateCommand();
cmd2.CommandType = CommandType.Text;
cmd2.CommandText = "SELECT * FROM Book_list WHERE BookName = '" + TextBoxBookName + "'";
cmd2.ExecuteNonQuery();
DataTable dt2 = new DataTable();
SqlDataAdapter da2 = new SqlDataAdapter(cmd2);
da2.Fill(dt2);
foreach (DataRow dr2 in dt2.Rows)
{
book_qty = Convert.ToInt32(dr2["book_qty"].ToString());
}
if (book_qty > 0)
{
SqlCommand cmd = connection.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "INSERT INTO Issue_book VALUES(" + TextBoxSearchMembers.Text + ",'" + TextBoxMemberName.Text + "','" + TextBoxMemberContact.Text + "','" + TextBoxMemberEmail.Text + "','" + TextBoxBookName.Text + "', '" + DateTimePicker1.Text + "')";
cmd.ExecuteNonQuery();
SqlCommand cmd1 = connection.CreateCommand();
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = "UPDATE Book_list SET BookAvailability = BookAvailability-1 WHERE BookName ='" + TextBoxBookName.Text + "'";
cmd1.ExecuteNonQuery();
MessageBox.Show("successful issue");
this.Close();
else
{
MessageBox.Show("Book not available");
}
You are only checking book_qty from the last row in your result set instead of BookAvailability for all rows. You probably want to do something like:
SqlCommand cmd2 = connection.CreateCommand();
cmd2.CommandType = CommandType.Text;
cmd2.CommandText = "SELECT BookAvailability FROM Book_list WHERE BookName = '" + TextBoxBookName + "'";
var result = cmd2.ExecuteScalar();
book_qty = Convert.ToInt32(result);
You need to make sure that there is only one book with the given bookname available.
In that case just correcting this one line in your code would help as well:
book_qty = Convert.ToInt32(dr2["book_qty"].ToString());
to
book_qty = Convert.ToInt32(dr2["BookAvailability"].ToString());
Otherwise you'd need to query SUM(BookAvailability), but the following code would decrease the amount of books for multiple books at once, that wouldn't be good.
Untested code. I don't have your database. Comments and explanation in line.
private void OPCode()
{
try
{
//keep your connections close to the vest (local)
using (SqlConnection connection = new SqlConnection())
//a using block ensures that your objects are closed and disposed
//even if there is an error
{
using (SqlCommand cmd2 = new SqlCommand("SELECT BookAvailability FROM Book_list WHERE BookName = #BookName", connection))
{
//Always use parameters to protect from sql injection
//Also it is easier than fooling with the single quotes etc.
//If you are referring to a TextBox you need to provide what property is
//being accessed. I am not in a WPF right now and not sure if .Text
//is correct; may be .Content
//You need to check your database for correct data type and field size
cmd2.Parameters.Add("#BookName", SqlDbType.VarChar, 100).Value = TextBoxBookName.Text;
//A select statement is not a non-query
//You don't appear to be using the data table or data adapter
//so dump them extra objects just slow things dowm
connection.Open();
//Comment out the next 2 lines and replaced with
//Edit Update
//var returnVal = cmd2.ExecuteScalar() ?? 0;
//if ((int)returnVal > 0)
//*************************************************************
//Edit Update
//*************************************************************
//in case the query returns a null, normally an integer cannot
//hold the value of null so we use nullable types
// the (int?) casts the result of the query to Nullable of int
Nullable<int> returnVal = (int?)cmd2.ExecuteScalar();
//now we can use the .GetValueOrDefault to return the value
//if it is not null of the default value of the int (Which is 0)
int bookCount = returnVal.GetValueOrDefault();
//at this point bookCount should be a real int - no cast necessary
if (bookCount > 0)
//**************************************************************
//End Edit Update
//**************************************************************
{
using (SqlCommand cmd = new SqlCommand("INSERT INTO issue_book VALUES(#SearchMembers etc", connection))
{
//set up the parameters for this command just like the sample above
cmd.Parameters.Add("#SearchMembers", SqlDbType.VarChar, 100).Value = TextBoxSearchMembers.Text;
cmd.ExecuteNonQuery();
}
using (SqlCommand cmd1 = new SqlCommand("UPDATE Book_list SET BookAvailability = BookAvailability-1 WHERE BookName = #BoxBookName;", connection))
{
cmd1.Parameters.Add("#BoxBookName", SqlDbType.VarChar, 100);
cmd1.ExecuteNonQuery();
}
MessageBox.Show("success");
this.Close();
}
else
{
MessageBox.Show("Book not available");
}
}
}
}
catch (Exception exc)
{
MessageBox.Show(exc.ToString());
}
}
I'm trying to get a value from my database but it keeps returning a value of 0 and i cannot figure out why. I've been retrieving data from the database for the whole of my project and it is just not working here. None of the values in the database are = to 0.
int rentalPrice is the one being returned as 0`
protected void Page_Load(object sender, EventArgs e)
{
if (Request.QueryString["id"] == null)
{
Response.Redirect("DisplayCars.aspx");
}
else
{
id = Convert.ToInt32(Request.QueryString["id"].ToString());
con.Open();
SqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "select * from cars where id ='" + id + "'";
cmd.ExecuteNonQuery();
lblCarID.Text = id.ToString();
DataTable dt2 = new DataTable();
SqlDataAdapter da2 = new SqlDataAdapter(cmd);
foreach (DataRow dr2 in dt2.Rows)
{
rentalPrice = Convert.ToInt32(dr2["car_rental_price"]);
}
lblRentalPrice.Text = rentalPrice.ToString();
con.Close();
}
// This uses a Connection pool, so you don't need to reuse the same SqlConnection
using (SqlConnection con = new SqlConnection(...))
{
using (SqlCommand cmd = con.CreateCommand())
{
cmd.CommandType = CommandType.Text;
cmd.CommandText = "select [car_rental_price] from cars where id = #Id";
var idParam = new SqlParameter("#Id");
idParam.Value = id;
cmd.Parameters.Add(idParam);
con.Open();
using (var reader = cmd.ExcecuteReader())
{
reader.Read();
lblRentalPrice.Text = reader.GetInt32(0).ToString();
lblCarID.Text = id.ToString();}
}
}
}
To execute a query and get results, you need to use cmd.ExecuteReader.
Also, rather than concatenating values into a string to build your SQL query, you need to use parameterized queries. This helps prevent SQL Injection attacks.
Also, SqlConnection should not be put in a field (class level variable). Instead, you should use local variables and wrap them in a using statement to ensure that they get disposed of properly.
hey you did not fill the Data Table.. then how it has any Values???
first Fill the data Table and use it in Foreach loop
adapter.Fill(DataTable);
foreach(DataRow dr in DataTable)
{
//get the id
}
I'am making a time attendance system and I don't know how to store datetime in database. I really need some help with my system if anyone has any code for time attendance please share your Code a little help would do thanks..
Here is my Code:
con = newSqlConnection(#"DataSource=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True;User Instance=True");
dt = new DataTable();
cmd = new SqlCommand(#"SELECT EmpID FROM data WHERE EmpID='" + Code.Text + "'", con);
con.Open();
sdr = cmd.ExecuteReader();
int count = 0;
while (sdr.Read())
{
count = count + 1;
}
con.Close();
if (count == 1)
{
con.Open();
DateTime dtn = DateTime.Now;
dtn = Convert.ToDateTime(DateTime.Now.ToString("hh:mm"));
string query = #"INSERT INTO Time (TimeIn) Values ('" + dtn + "')";
cmdd = new SqlCommand(query, con);
sdr = cmdd.ExecuteReader();
sdr.Read();
dataGridView.DataSource = databaseDataSet.Time ;
con.Close();
MessageBox.Show("Verify Ok");
}
else
{
MessageBox.Show("Please Try Again");
}
Do not use ExecuteReader() but ExecuteNonQuery(); add query parameters, do not modify query text, technically it could be something like that:
...
if (count == 1) {
...
DateTime dtn = DateTime.Now;
string query =
#"insert into Time (
TimeIn)
values (
#TimeIn)"; // <- query parameter instead of query text modification
using (var query = new SqlCommand(query, con)) {
// bind query parameter with its actual value
query.Parameters.AddWithValue("#TimeIn", dtn);
// Just execute query, no reader
query.ExecuteNonQuery();
}
...
However, table Time as it appears in the question looks very strange, hardly does it contain TimeIn field only.
I have the following method to inserting data into an an access databasewhich works fine but I do get a problem if I try to insert text that contains single quotes I have learned.
[WebMethod]
public void bookRatedAdd(string title, int rating, string review, string ISBN, string userName)
{
OleDbConnection conn;
conn = new OleDbConnection(#"Provider=Microsoft.Jet.OleDb.4.0;
Data Source=" + Server.MapPath("App_Data\\BookRateInitial.mdb"));
conn.Open();
OleDbCommand cmd = conn.CreateCommand();
cmd.CommandText = #"INSERT INTO bookRated([title], [rating], [review], [frnISBN], [frnUserName])VALUES('" + title + "', '" + rating + "','" + review + "','" + ISBN + "', '" + userName + "')";
cmd.ExecuteNonQuery();
conn.Close();
}
From what I understand one of the ways to solve the problem is by using parameters. I am not sure how to do this to be honest. How could I change the above code so that I insert the data by using parameters instead?
Same as for any other query:
a) Replace actual hardcoded parameters in your OleDbCommand with placeholders (prefixed with #),
b) Add instances of OleDbParameter to the DbCommand.Parameters property. Parameter names must match placeholder names.
[WebMethod]
public void bookRatedAdd(string title, int rating, string review, string ISBN, string userName)
{
using (OleDbConnection conn = new OleDbConnection(
"Provider=Microsoft.Jet.OleDb.4.0;"+
"Data Source="+Server.MapPath("App_Data\\BookRateInitial.mdb"));
{
conn.Open();
// DbCommand also implements IDisposable
using (OleDbCommand cmd = conn.CreateCommand())
{
// create command with placeholders
cmd.CommandText =
"INSERT INTO bookRated "+
"([title], [rating], [review], [frnISBN], [frnUserName]) "+
"VALUES(#title, #rating, #review, #isbn, #username)";
// add named parameters
cmd.Parameters.AddRange(new OleDbParameter[]
{
new OleDbParameter("#title", title),
new OleDbParameter("#rating", rating),
...
});
// execute
cmd.ExecuteNonQuery();
}
}
}
You have to use Parameter to insert Values. Its is allso a security Issue.
If you do it like that a sql injection could by made.
Try like this:
string ConnString = Utils.GetConnString();
string SqlString = "Insert Into Contacts (FirstName, LastName) Values (?,?)";
using (OleDbConnection conn = new OleDbConnection(ConnString))
{
using (OleDbCommand cmd = new OleDbCommand(SqlString, conn))
{
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("FirstName", txtFirstName.Text);
cmd.Parameters.AddWithValue("LastName", txtLastName.Text);
conn.Open();
cmd.ExecuteNonQuery();
}
}
For Microsoft Access the parameters are positional based and not named, you should use ? as the placeholder symbol although the code would work if you used name parameters provided they are in the same order.
See the documentation for OleDbCommand.Parameters Property
Remarks
The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used. For example:
SELECT * FROM Customers WHERE CustomerID = ?
Therefore, the order in which OleDbParameter objects are added to the OleDbParameterCollection must directly correspond to the position of the question mark placeholder for the parameter in the command text.
Be sure to include the expected schema type where the parameter will be used AND the schema length if applicable.
I also recommend you always use using statements around your instances where the type implements IDisposable like the OleDbConnection so that the connection is always closed even if an exception is thrown in the code.
Changed Code:
var connectionStringHere = #"Provider=Microsoft.Jet.OleDb.4.0;Data Source=" + Server.MapPath("App_Data\\BookRateInitial.mdb";
using (var conn = new OleDbConnection(connectionStringHere))
using (var cmd = conn.CreateCommand())
{
cmd.CommandText = "INSERT INTO bookRated ([title], [rating], [review], [frnISBN], [frnUserName]) VALUES(?, ?, ?, ?, ?)";
cmd.Parameters.Add(new OleDbParameter("?", OleDbType.VarChar, 100) { Value = title});
cmd.Parameters.Add(new OleDbParameter("?", OleDbType.Integer) { Value = rating });
cmd.Parameters.Add(new OleDbParameter("?", OleDbType.VarChar, 2000) { Value = review });
cmd.Parameters.Add(new OleDbParameter("?", OleDbType.VarChar, 60) { Value = ISBN });
cmd.Parameters.Add(new OleDbParameter("?", OleDbType.VarChar, 256) { Value = userName });
conn.Open();
var numberOfRowsInserted = cmd.ExecuteNonQuery();
}